
Malware Galore!!

4:10 PM Thursday, November 15, 2007

Been busy the last couple of weeks. Had to clear off a serious malware infection. It's one where a yellow triangle appears in the notification area, down by the clock, with an exclamation mark in it, and to top it all off, messages keep popping up claiming that there is an infection and trying to encourage me to go to a certain site and download an antivirus program to fix the infection.

Of course, this popup notice is the infection. This was on my Uncle's computer. He didn't have any spyware or antivirus protection. I originally never planned to write this up, so I've forgotten some of the details.


Critical System Error
Warning!! The system is restored after critical error. Error code is 0X01FFEFAC. System safety critically lowered now. Install system Error Fixer and Trusted Antivirus Now?


I installed AVG Antivirus and Ad-Aware. I updated them on my computer and then burned the install programs and the update files to a CD. It's usually recommended to disconnect from the internet when trying to fix such problems. Also, my Uncle still has only a dial-up connection. The first update, especially for an antivirus program, is usually large, and I figured that the malware would try to interfere anyway.


It's recommended to turn off System Restore. It's an automatic backup feature in Windows that first appeared in Windows ME. Disabling it deletes all existing restore points, including any that hold copies of the malware you are trying to get rid of; if you leave them in place, a later restore can bring the infection straight back.

The procedure for WinME:

Click on Start then Settings then Control Panel. Click on View all Control Panel options then double-click on the System icon.

On the Performance tab, click on File System. On the Troubleshooting tab, check Disable System Restore, then OK. You will have to restart.

The procedure for WinXP:

Click on Start then Control Panel (with the classic Start menu it is Start, Settings, Control Panel). If the Control Panel is in category view, click on Switch to Classic View, then double-click on the System icon.

Click on the System Restore tab, check the option Turn off System Restore on all drives, then OK. Restart if requested.

Just reverse this after you are finished so that new, clean restore points get created again.


Here are a few details that I can offer (from sketchy notes and even sketchier memory) :-)

  1. With the internet connection disabled, I clicked on the pop-up message to see where it would take me. It tried to go to:

    privacy.pcprivacytool.com/MTgwNDQ=/2/6190/ed=1/ex=1/10044

    PCPrivacyTool is a fake scanner that "finds" problems when there are none. It tries to convince you to buy the full program to get rid of other supposed parasites. It is itself the parasite.

  2. HijackThis (www.merijn.org/programs.php or http://www.bleepingcomputer.com/files/hijackthis.php) is a tool that helps you remove unauthorized software (malware, spyware, adware, etc.) from your system. It's like a manual adware remover: it gives you a list of what is set to run in the background or hook into the browser, and you have to pick and choose what is bad and what is not.

    Unfortunately, most people seem to barely know about the automatic spyware removers, like Ad-Aware - http://www.download.com/3000-2144-10045910.html and Spybot - http://www.safer-networking.org/.

    This is what to look for. The F2 entry is the Shell= line that Windows reads from the registry copy of system.ini; it should say Explorer.exe and nothing else. The O4 entries are programs started automatically from the Run keys in the registry or from the Startup folders.

    F2 - REG:system.ini: Shell=Explorer.exe c:\WlNDOWS\shell.exe

    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe

    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe

    O4 - Startup: findfast.exe

    O4 - Global Startup: autorun.exe

  3. I checked the option to delete these and even hunted for the files indicated on my computer and deleted them. When I clicked on Start, then Programs, and then Startup, I found and deleted the findfast.exe and autorun.exe shortcuts, but it all kept coming back as quickly as I could delete it.

    Please note: there is a legitimate process called spoolsv.exe (the print spooler service). It's a common practice for malware/adware producers to give their files names spelled almost like a legitimate process so that they blend into a process list. For the legitimate one, think spoolSerVice: S comes before V. If the V comes first, it is a fraud, even when it sits in the real System32 folder as it does here. Get rid of it.

  4. I couldn't delete it manually, so I went online and downloaded these two utilities. Print out the instructions on the sites, then download the utilities.

    SmitfraudFix.exe - http://siri.geekstogo.com/SmitfraudFix.php

    SDFix.exe - http://savemybutt.com/how-to-use-sdfix.exe.html

  5. I can't remember which one actually did the job; I tried them both. So can you.

It worked. Then a guy in another apartment called. He had a similar problem. Again, no antivirus or adware remover.

  1. Installed AVG first. Ran a scan and it removed over 500 trojan files. No! This is not a misprint.
  2. Afterwards installed and ran Ad-Aware. I can't remember how many things were removed, but unfortunately it didn't remove this infection. Ran the same two programs on his computer that I did on my Uncle's. Didn't work this time.

    I found entries like this in the HijackThis log (R1 entries are changed Internet Explorer start/search page settings):

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.the-exit.com/search .

    Some sites claim that www.the-exit.com is part of the CoolWebSearch malware. You may need CWShredder (see link below).

    An updated Ad-Aware or Spybot might be able to take care of these; otherwise try:

  3. Went online hunting for info and downloaded the following:

    cwshredder - http://savemybutt.com/downloads.html . While on the download page, follow the links for the antivirus and adware programs if you don't have any on your system already.

    vundofix - http://www.softpedia.com/get/Antivirus/VundoFix.shtml

    I tried them both and the problem was solved.

Then my sister called, another rogue malware product. This one is called MalwareAlarm.

  1. This time I went to Task Manager and ended any processes belonging to the program.
  2. I went to Add/Remove Programs and uninstalled the program.
  3. I used HijackThis to remove any references that didn't look right, including the following:

O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe

I got lucky this time. I didn't have to go any further than that.
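The log entries quoted in the three cases above (the F2 Shell= line, the O4 Run/Startup entries and the R1 SearchURL) can be screened mechanically before you start deleting things by hand. The following is an added example, not code from the original post and not part of HijackThis or any of the tools linked here. It automates the three checks the post makes by eye: a Shell= value that is anything other than Explorer.exe, lookalike spellings of legitimate process or directory names (spoolvs vs spoolsv, WlNDOWS vs WINDOWS), and a search URL pointing at a domain that is not a known search provider. The allow-lists, the 0.8 similarity threshold and the sample log (the entries above plus one benign AVG entry) are constructed for the example.

```python
"""Flag suspicious HijackThis-style log lines.

Added example; not HijackThis code and not part of the original post.
Three checks: a non-default Shell= in system.ini (F2), lookalike spellings
of Windows process or directory names (O4), and an IE SearchURL (R1)
pointing at an unexpected domain. Allow-lists and sample log are constructed.
"""
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed, deliberately short allow-lists; a real one would be much longer.
LEGIT_PROCESSES = {"spoolsv.exe", "svchost.exe", "explorer.exe", "lsass.exe",
                   "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
LEGIT_DIRS = {"windows", "system32", "program files"}
EXPECTED_SEARCH_DOMAINS = {"microsoft.com", "msn.com", "google.com"}
SIMILARITY = 0.8  # assumed SequenceMatcher ratio above which a name is a lookalike

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<label>[^\]]*)\] )?(?P<cmd>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$", re.I)
R1_RE = re.compile(r"^R1 - .*SearchURL = (?P<url>\S+)", re.I)
EXE_RE = re.compile(r"^(.*?\.exe)", re.I)  # path up to the first .exe, before any arguments


def lookalike_of(name, legit):
    """Return the legitimate name `name` imitates, or None if it is exact or unrelated."""
    name = name.lower()
    if name in legit:
        return None
    best = max(legit, key=lambda c: SequenceMatcher(None, name, c).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= SIMILARITY else None


def check_path(path):
    """Lookalike checks on every component of a Windows path (drive letter ignored)."""
    reasons = []
    parts = [p for p in re.split(r"[\\/]", path) if p and not p.endswith(":")]
    for directory in parts[:-1]:
        hit = lookalike_of(directory, LEGIT_DIRS)
        if hit:
            reasons.append(f"directory '{directory}' imitates '{hit}'")
    if parts:
        hit = lookalike_of(parts[-1], LEGIT_PROCESSES)
        if hit:
            reasons.append(f"'{parts[-1]}' imitates legitimate '{hit}'")
    return reasons


def analyze(line):
    """Return the reasons one log line looks suspicious (empty list if none)."""
    reasons = []
    if m := F2_RE.match(line):
        # Only Explorer.exe belongs on the Shell= line; anything appended is a second shell.
        extras = [t for t in m["shell"].split() if t.lower() != "explorer.exe"]
        if extras:
            reasons.append(f"extra shell program(s) {extras}; only Explorer.exe is expected")
            for extra in extras:
                reasons += check_path(extra)
    elif m := O4_RE.match(line):
        exe = EXE_RE.match(m["cmd"])
        reasons += check_path(exe.group(1) if exe else m["cmd"])
    elif m := R1_RE.match(line):
        host = (urlparse(m["url"]).hostname or "").lower()
        host = host[4:] if host.startswith("www.") else host
        if not any(host == d or host.endswith("." + d) for d in EXPECTED_SEARCH_DOMAINS):
            reasons.append(f"search URL points at unexpected domain '{host}'")
    return reasons


def scan(log_text):
    """Return [(line, reasons)] for every line of a HijackThis-style log that tripped a check."""
    results = []
    for line in log_text.splitlines():
        reasons = analyze(line.strip())
        if reasons:
            results.append((line.strip(), reasons))
    return results


# Constructed sample log: the entries quoted in the post plus one benign AVG entry.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe c:\WlNDOWS\shell.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.the-exit.com/search
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run against the sample log it flags three lines: the Shell= line (an extra shell program in a directory spelled WlNDOWS with a lowercase L), the spoolvs.exe entry (one transposition away from spoolsv.exe) and the the-exit.com search URL. printer.exe, xpupdate.exe, findfast.exe and autorun.exe pass untouched because they do not imitate anything in the short allow-list, which is the point of the caveat in the post: a script like this narrows the list of entries to look at, it does not replace checking each one by hand.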


Other links to help get rid of MalwareAlarm:

http://www.spywareremove.com/removeMalwareAlarm.html

http://forum.securitycadets.com/index.php?showtopic=3938


Missing Wallpapers

Then she called again because she couldn't add a background picture to her desktop.

In this case, I had to dig into the registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\System
"Wallpaper"=

There was no value listed for it, so I right-clicked on the word Wallpaper and deleted it. Wallpapers are back. That Wallpaper value under the Policies key is a policy setting that overrides whatever the user picks in Display Properties, which is why an empty one leaves you with no background and no way to set one; deleting it hands control back to the user. Wallpaper in this case is just the background picture on your screen, and the term desktop refers to that background, just in case you are completely new to this.